HON95 11 months ago
parent
commit
4d5f7cbbae
2 files changed with 67 additions and 0 deletions
  1. 57 0
      cloud/cloudflare.md
  2. 10 0
      services/ptp.md

+ 57 - 0
cloud/cloudflare.md

@@ -0,0 +1,57 @@
+---
+title: Cloudflare
+breadcrumbs:
+- title: Cloud
+---
+{% include header.md %}
+
+Mostly a list of how I like things in Cloudflare, for the very few features I use.
+
+## DNS Hosting
+
+- Plan: Free
+- DNS:
+    - DNSSEC: Yes (no multi-signer)
+- Boilerplate records (using zone "example.net"):
+        - `CNAME @ "mario.example.net"` (where the main site is hosted)
+        - `CNAME www "mario.example.net"` (for redirect til non-www)
+        - `TXT @ "v=spf1 include:_spf.google.com ~all"` (including Google-mail, remove `include:` if not used)
+        - `TXT * "v=spf1 ~all"` (avoid mail from random subdomains)
+        - `TXT _dmarc "v=DMARC1; p=quarantine; pct=100;"`
+
+## HTTP Reverse Proxy
+
+- DNS proxy status (traffic through Cloudflare):
+    - Enabled for most HTTP/HTTPS sites that behave properly and I want better cached performance and extra security for (e.g. main site).
+- SSL/TLS:
+    - Mode: Full (strict) (with exception through page rules)
+    - Always use HTTPS: Yes
+    - HSTS: On, no max-age, don't include subdomains, preload.
+    - Minimum TLS version: 1.2
+    - Origin certificates: Create for websites served through Cloudflare. Or just use Let's Encrypt (requires a non-HTTPS page rule for HTTP challenge).
+    - Authenticated Origin Pulls: Yes. Must be configured on the hosting webserver too to prevent direct connections.
+- Security:
+    - Security level: Low or Medium (default)
+- Caching:
+    - Boilerplate rules (example sites):
+        - "No cache (example.net)" (if the main site doesn't like caching, disable it):
+            - When: `hostname equals "example.net"`
+            - Then: Bypass cache.
+- Rules:
+    - Normalization type: Cloudflare (default)
+    - Normalize incoming URLs: True (default)
+    - Boilerplate rules (example sites):
+        - "ACME Flexible SSL" (configuration rule):
+            - When: `URI Path starts with "/.well-known/acme-challenge/"`
+            - Then: SSL mode Flexible.
+        - "Remove WWW" (redirect rule):
+            - When: `Hostname equals "www.example.net"`
+            - Then: Dynamic, `concat("https://example.net", http.request.uri.path)`, 301 (permanent), preserve query string.
+        - "Redirect to other site" (redirect rule) (if this domain doesn't have its own main site):
+            - When: `Hostname equals "example.example"`
+            - Then: Static, `https://example.net)`, 303 (temporary).
+- Network:
+    - Websockets: On
+    - gRPC: On
+
+{% include footer.md %}
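Review bot: the HSTS line ("HSTS: On, no max-age, don't include subdomains, preload.") is internally inconsistent: `preload` does nothing without a `max-age`, and the browser preload list requires `max-age` of at least one year (31536000) together with `includeSubDomains`, so either set both (accepting that every subdomain must then be served over HTTPS) or drop `preload` and keep a plain HSTS policy with a `max-age` of your choosing. Smaller points in the same file: the "Redirect to other site" target `https://example.net)` carries a stray closing parenthesis; "for redirect til non-www" should read "to non-www"; the `TXT * "v=spf1 ~all"` wildcard only matches names that do not otherwise exist in the zone, so a subdomain that already has its own A/AAAA/MX record receives no SPF from it and needs an explicit `TXT` record; and the DMARC record would benefit from a `rua=` reporting address so that quarantined mail is at least visible. The text also mixes "page rules" (SSL/TLS mode and Origin certificates bullets) with "configuration rule" (ACME Flexible SSL), so one term should be used throughout.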

+ 10 - 0
services/ptp.md

@@ -404,15 +404,23 @@ ptp priority1 255
     - Only BC mode with 2-step is supported.
     - Only multicast UDP transport mode is supported.
     - Does not support management messages.
+    - Only PTPv2 profiles with E2E delays are supported, so P2P TCs can't be connected to ACI.
+    - Supported PTPv2 profiles:
+        - IEEE 1588-2008 (default)
+        - AES67-2015 (media)
+        - SMPTE 2059-2
+        - ITU-T G.8275.1 (telecom)
 - Fabric latency measurements:
     - One of the main use cases for PTP within ACI.
     - May be used together with atomic counters for a fuller image of what is happening in the network.
     - Used for measuring ongoing TEP-to-TEP latency and on-demand tenant latency (see the docs for details and examples).
     - Supports *average mode* and *histogram mode*.
 - Topology:
+    - A single PTP domain is used for the whole fabric, with all switches operating in BC mode.
     - To align with the PTP hierarchy of clocks and reduce the number of switches in the clock path, as well as reduce the difference in clock paths to leaf switches, the upstream clock should be connected to all spines.
     - For multi-pod architectures, the inter-pod network (IPN) may be a fitting place to connect the upstream clock to, such that the IPN redistributed the time from the same GMC to the spines in all the pods. When PTP it enabled for the fabric, it's also enabled on IPN uplinks on the spines, such that PTPv2 from the IPN routers can be received on VLAN 4.
     - By default, all ACI switches use a priority 1 of 255, while a single spine in each pod that uses priority 254.
+    - **TODO** BD/EPG and L3Out ports. Master supported? Config?
 - Resources:
     - [Cisco: Cisco ACI Latency and Precision Time Protocol](https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_Cisco_ACI_Latency_and_Precision_Time_Protocol.html)
     - [Cisco: Cisco APIC System Management Configuration Guide, Release 6.0(x)](https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/system-management-configuration/cisco-apic-system-management-configuration-guide-60x/precision-time-protocol-60x.html)
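Review bot: the multi-pod bullet under "Topology" has two grammar slips that obscure the meaning: "such that the IPN redistributed the time" should be "redistributes", and "When PTP it enabled for the fabric" should be "When PTP is enabled for the fabric". In the following bullet, "a single spine in each pod that uses priority 254" should drop "that", and "priority 1" would be clearer written as "priority1" to match the `ptp priority1 255` configuration shown in the hunk header. The `**TODO** BD/EPG and L3Out ports. Master supported? Config?` bullet is an open question being committed into the published page; either resolve it or keep it out of the page until it is answered.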
@@ -432,6 +440,8 @@ ptp priority1 255
         - Delay request interval: 1 (2s)
         - Announce timeout: 3s
     1. Go to the "Latency" tab and set "System Resolution" to 11.
+- Activate PTP on leaf ports:
+    1. **TODO**
 - Configure a latency measurement (when needed) (GUI):
     1. Go to "Tenants > the tenant > Policies > Troubleshooting > Atomic Counter and Latency".
     1. Click the configuration button and select the appropriate measurement type (e.g. EPG to EPG).
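Review bot: the new "Activate PTP on leaf ports" procedure consists of a single `**TODO**` step, so the published page now has a numbered procedure with no instructions; either fill in the step or leave the heading out until it is written.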